Hello.
On a Mac mini running OS Catalina, we have file sharing enabled for a specific folder.
However. when users connect to the computer with file sharing enabled, the shared folder shows in the finder, as well as the entire hard drive, the user folder and external volumes.
Is there a way to fix this so only the shared file connects?
Mac mini, macOS 10.15
File Sharing does not connect a login with any specific folder.
File Sharing is essentially logging into the Mac from the network.
If you log into a Mac with a user that exists on the Mac, you have all of the access that you would if you logged into that Mac directly.
You can create Sharing Only users which have no local accounts on the Mac. You can then give those users access to specific locations. You can also create Groups which can have many users so you can give multiple users access with a single entry.
File Sharing does not connect a login with any specific folder.
File Sharing is essentially logging into the Mac from the network.
If you log into a Mac with a user that exists on the Mac, you have all of the access that you would if you logged into that Mac directly.
You can create Sharing Only users which have no local accounts on the Mac. You can then give those users access to specific locations. You can also create Groups which can have many users so you can give multiple users access with a single entry.
Also, are you testing this with an account on the client that exists on the Server. Catalina (and probably Mojave) cache the user credentials and even if you think you are logging in with the Sharing Only user credentials, you get logged in with the Mac credentials.
I created the following hierarchy:
/Users/Shared/Sharing Test -- group: tester read only, everyone: no access
./Share A -- group: tester read & write, everyone: no access
./Share B -- group: otherGroup read & write, everyone: no access.
/Users/Shared had standard permissions.
The other permissions are POSIX permissions set up on the server.
In File Sharing, I added tester group with Read/Write and everyone: no access.
If I log in via a sharing only user that is a member of tester, I can only see Share A.
If you want this to act as a file server, you'll need to add the following ACL to the top-level folder you are sharing, and all children (-R) if it already has contents:
"group:<groupName> allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit"
In order to connect to a shared folder, the enclosing folder must have read access to that group or everyone.
Since they have read access to the parent folder, they should be able to see into that and any subfolders where everyone has read access. When connecting, they should only be able to see the folders shared to them and the parent folder.
If they are seeing more than that, they somehow have permission to read all of that.
Where does the folder reside on the file system?
Is this significant?
Probably. It isn't logging in as your Sharing user but as another user tied to that AppleID.
You can disconnect, then Connect As and use the Sharing Only user credentials, but as I noted, I've seen where the cached credentials are used instead of the ones you enter (just based on what I see presented as available shares).
AppleID's are for individuals, not computers.
You can set up a "management" AppleID for purchases and licensing to use with every Mac, but each person should have their own AppleID they sign into.
Splitting them up will likely cause you other problems, I imagine.
I don't know if Apple has some sort of corporate sharing like Family Sharing.
Hello.
Thanks for your reply.
We do have Sharing Only users in a group called "Staff." Under System Preferences/Sharing, we have File Sharing checked and in the Shared Folders window we have one folder selected: "Shared Files." The staff group has permission to Read and Write the Shared Files folder.
If I uncheck File Sharing the Sharing Only users cannot connect at all.
Is there a better way to limit the sharing so only the Shared Files folder is accessible?
Hello.
Thank you for those replies. I will try those suggestions.
One issue I do want to ask about. I have noticed that when users connect, it shows they are not connected by their individual user name but instead for the name associated with our iCloud account (which is shared among users, just for the find my mac feature).
Is this significant?
"Staff" is not the actual name of the group. It has a different name, which I did not want to post online.
Thanks again. Yes--setting up separate iCloud accounts is a project our ours.
Staff has access to almost everything.
Create another group and use that. You can create the group in Users & Groups.
Files Sharing Showing All Folders and Volumes